A digital signature has been widely used for the purpose of prevention of forgery and falsification of an electronic document or personal authentication. In the past, as a digital signature, a pair of a secret key and a public key are generated in advance and held. Particularly, the secret key is commonly stored in an IC card or the like and managed by a signer so that the secret key can be used by only the signer and kept secret from other people. The signer can generate a digital signature for an arbitrary electronic document using the secret key, and a verifier can verify that a set of the digital signature and the electronic document is right (neither forged nor falsified) using a public key. As a digital signature algorithm, there are an RSA, a DSA, a Schnorr digital signature, and the like, and a public key infrastructure (PKI) is constructed using the algorithm.
Meanwhile, biometric authentication of performing personal authentication based on biometric information has an advantage in which it is not lost, not forgotten, and not stolen compared to authentication based on a card or a password, and can implement personal authentication having high convenience and high resistance to impersonation. In a common biometric authentication system, feature data (template) is extracted from user's biometric information and held. At the time of authentication, feature data is extracted from the biometric information of the user, and when the extracted feature data is determined to be identical to (sufficiently similar to) the template, the authentication succeeds. However, it is difficult to replace biometric information such as a fingerprint or a vein. For this reason, if a template leaks, it is difficult to recover lifetime security.
With respect to this problem, a technique (a biometric key generation technique) of generating a secret key from biometric information while protecting biometric information is disclosed in Non Patent Document 1. In this technique, at the time of registration, helper data H=F(X,K) is generated such that a secret key K is embedded in biometric information X in an indivisible form. At the time of key recovery, biometric information X′ is acquired again, and a secret key K′=G(X′,H) is recovered using the helper data H. If X′ is sufficiently close to X, for example, an error correction code technique is used for an embedding function F and a recovery function G so that K′=K is held.
In the technique disclosed in Non Patent Document 1, since the helper data is necessarily needed at the timing of signing, a helper data repository and a device through which a signature generation terminal accesses the helper data are necessary. When the helper data is kept in the IC card or the like, the user needs to carry belongings for signing, and thus convenience is lowered. However, when the helper data is kept in a local terminal, a digital signature can be generated only from the terminal, and thus a use thereof is limited. Further, when the helper data is kept in a server, a digital signature can be generated only from a terminal connected to a network, and there is a problem in that it takes a time to generate a digital signature since communication with the server is performed for each digital signature.
Further, in a technique disclosed in Non Patent Document 2, a digital signature system using biometric information is proposed. However, security thereof has been discussed under the assumption that a biometric information distribution is a uniform distribution. However, in reality, the biometric information distribution is commonly a biased distribution rather than a uniform distribution. In this case, it is a problem to secure security.